20:14:58 <t-bast> #startmeeting 20:14:58 <lightningbot> Meeting started Mon Jul 6 20:14:58 2020 UTC. The chair is t-bast. Information about MeetBot at http://wiki.debian.org/MeetBot. 20:14:58 <lightningbot> Useful Commands: #action #agreed #help #info #idea #link #topic. 20:15:11 <t-bast> #link https://github.com/lightningnetwork/lightning-rfc/issues/789 20:15:32 <t-bast> Let's do some PRs first and we'll get back to anchors afterwards, allright? 20:15:53 <t-bast> #topic Bump our recommendations for cltv_expiry_delta 20:15:56 <t-bast> #link https://github.com/lightningnetwork/lightning-rfc/pull/785 20:16:10 <t-bast> We discussed that PR last time and agreed to raise the recommended values 20:16:31 <t-bast> I updated it to hopefully make the trade-offs a bit clearer without cluttering the spec too much, and raised default recommendations 20:17:08 <rusty> Acked on issue. 20:17:37 <roasbeef> yeah there've been some papers related to this recently 20:17:41 * rusty quickly opens a c-lightning issue to increase defaults... 20:18:02 <roasbeef> a follow up to that "flood and loot" paper analyezes the current defaults, and compares to a model of malicious hash power % for bribery attacaks 20:18:17 <roasbeef> they also look at values for csv delay as well 20:18:33 <t-bast> yes we're starting to see interesting analysis 20:18:48 <t-bast> so I really don't want to see more channels with a cltv_expiry_delta of 6 on mainnet 20:18:54 <roasbeef> this one I just referred to: https://eprint.iacr.org/2020/774 20:19:03 <roasbeef> heh yeh that's pretty low, thankfully fees are low rn, but we shouldn't get complacent 20:19:38 <roasbeef> I even see some values of like 1-4.... 20:19:43 <t-bast> daaaamn 20:19:44 <cdecker> Oh nice, my former research group 20:19:48 <roasbeef> I think part of it is education on the front of the node operator 20:20:16 <roasbeef> cdecker: yeh they've really been cranking out a ton of LN stuff this year, cool to see they continue to explore the research area 20:20:18 <t-bast> cdecker: nice! 20:20:29 <t-bast> do I have another ACK on this PR? 20:20:38 <roasbeef> pedro's group as usual also stays steady cranking out papers 20:20:42 <cdecker> Should give them a visit some time soon, would love to brainstorm in person for a change ^^ 20:20:54 <roasbeef> t-bast: down with teh idea in general, will check out the PR, +1 for being more conservative 20:21:03 <t-bast> what does "in person" mean? Long time I haven't heard that 20:21:13 <ariard> what are the new hightlights of this one compared to miner censorship described in original LN paper? 20:21:15 <roasbeef> it's like a hologram, but you can touch it 20:21:17 <t-bast> roasbeef: cool sgtm, let's defer to github then 20:21:26 <t-bast> touch it? that's digusting 20:21:34 <roasbeef> ariard: this one focuses in the game theory of bribing, with various hash rate distributions 20:22:07 <roasbeef> seciton 3.2 is what analyzes current values of csv delay and chan reserve based on their model 20:22:27 <ariard> okay do they give you an equilibrium point between HTLCC value and miner topology ? 20:23:18 <roasbeef> it's more about the extra fee to be paid to them than the value iteslf 20:23:23 <roasbeef> but ofc those are related 20:23:29 <t-bast> #topic Clarify duplicate TLV in stream 20:23:31 <t-bast> #link https://github.com/lightningnetwork/lightning-rfc/pull/777 20:23:48 <t-bast> Small PR that's been hanging around, clarifying that we disallow duplicate TLV records 20:24:04 <cdecker> ack 20:24:24 <roasbeef> lgtm'd on PR 20:24:34 <roasbeef> speaking of the OP of that PR, has anyone tried out their RGB demo stuff? 20:24:54 <t-bast> there's a working demo? 20:25:05 <roasbeef> saw some tweet 20:25:13 <roasbeef> I think it might just be on-chain stuff, and not actually channel updates yet tho 20:25:27 <roasbeef> I never fully grokked the protocol myself in the channel context tho fwiw.... 20:25:33 <t-bast> interesting, good to know they were able to make progress 20:25:38 <rusty> I thought the lack-of-dups was obvious, but yes "strictly" is better than "monotonically". 20:25:51 <cdecker> I'm helping them (RGB) along a bit 20:26:07 <rusty> Acked on issue. 20:26:09 <cdecker> Quite some interesting tech, but still a lot of road ahead 20:27:13 <cdecker> It's colored coins with off-chain protocol support. I think dr-orlovsky is in this channel as well :-) 20:27:58 <t-bast> #action Merge PR (enough acks gathered) 20:28:07 <t-bast> #topic Clarify flip(bits) 20:28:17 <t-bast> #link https://github.com/lightningnetwork/lightning-rfc/pull/779 20:28:47 <t-bast> Apart from the spellchecker, I think every implementation agrees with that change 20:28:53 <t-bast> Otherwise nothing would work on mainnet :) 20:29:19 <rusty> I'll fix spellchecker... 20:29:34 <t-bast> Thanks rusty! 20:30:37 <rusty> Though adding 'th' to the dictionary feels... dangerous... 20:30:47 <rusty> I can see th problems it will cause... 20:30:56 <t-bast> ^^ 20:31:25 * rusty elects to remove the "'th" in both places instead. 20:31:39 <t-bast> rusty: ACK 20:33:05 <rusty> force pushed with those removed... 20:33:38 <rusty> ... and "..." added. 20:33:47 <ja> thanks 20:34:41 <t-bast> #topic Static RemoteKey test vectors 20:34:46 <t-bast> #link https://github.com/lightningnetwork/lightning-rfc/pull/758 20:35:16 <roasbeef> doesn't look like the PR has chagned since last time 20:35:24 <roasbeef> there're some unresolved comments too 20:35:28 <t-bast> IIRC, the latest state was that joost found it a bit weird to have test vector that actually couldn't occur because tx amounts were impossible. 20:35:52 <t-bast> In my opinion this is mixing layers and these test vectors don't have to care about these requirements 20:36:08 <roasbeef> well they should be valid transactions, no? 20:36:15 <t-bast> But I don't have a strong feeling about it, if BlueMatt isn't around shall we let this follow up on github? 20:36:23 <roasbeef> ppl could even have libs that just refuse to make transactions like that 20:36:35 <t-bast> They can be valid bitcoin transaction and not meet reserve requirements (which are covered in a separate bolt) 20:36:51 <BlueMatt> oh oops. sorry have forgotten to follow up on that (and didnt have any meeting notifications set :( ) 20:36:54 <t-bast> otherwise the risk is that every test vector starts depending on the whole spec which is weird 20:37:05 <t-bast> Oh hey BlueMatt! 20:37:19 <BlueMatt> anyway, yes, I dont think anything has changed since last meeting, doesn't need discussion 20:37:25 <rusty> Yeah, I worked around my problems with the previous vectors for lnprototest (in particular, it's supposed to be the 42nd commitment, but the shachain is stated (0x01020304...) not derivable. 20:38:05 <t-bast> #topic Anchor outputs 20:38:06 <rusty> t-bast: it's always nice if the results are derivable from first principles, but I'd rather have test vectors than not! 20:38:08 <t-bast> #link https://github.com/lightningnetwork/lightning-rfc/pull/688 20:38:33 <t-bast> rusty: exactly :D 20:39:11 <t-bast> The latest on anchor outputs is that c-lightning and eclair are getting started on the implementation, rust-lightning as well if I'm not mistaken 20:39:17 <roasbeef> dope 20:39:20 <rusty> I'm just grateful for test vectors. Even YAML ones. (Which, it turns out, are actually JSON ones)... 20:39:42 <roasbeef> well JSON is a subset of yaml ;) 20:39:53 <rusty> roasbeef: yeah, TIL! 20:39:59 <t-bast> From what I understand, anchor outputs don't make it worse than what we have today regarding pinning attacks, so we should start with that and once we have package relay on mainnet, migrate to an anchor v2 20:40:52 <ariard> good to me, I still hope in the long term we can get rid of mempool watching 20:40:55 <t-bast> FWIW I think the state of the anchor outputs PR is ok, it's clear enough for implementers 20:41:11 <t-bast> ariard: that would be awesome 20:41:44 <ariard> should we add CPFP weight in appendix ? 20:42:02 <t-bast> I have summaries of the pinning discussions here if anyone's interested: https://github.com/t-bast/lightning-docs/blob/master/pinning-attacks.md 20:42:38 <rusty> I did have a question on the recent 668 weight increase to allow > 253 inputs on the commitment tx. That seems... weird? 20:43:13 <rusty> s/668/688/ 20:43:17 <joostjgr> hi, that was a mistake 20:43:23 <joostjgr> it must have been >253 outputs 20:43:24 <ariard> it's the tx_out 20:43:40 <joostjgr> corrected in the pr 20:45:04 <rusty> joostjgr: right... but in practice it's in the noise at that point? We require 253 minfee (though I couldn't actually find that in the spec!), which means we can't hit the bitcoin minfee? 20:45:27 <rusty> (Not to mention I think everyone grinds sigs to save a byte?) 20:46:02 <joostjgr> I think it is consistent to not do such optimizations 20:46:14 <joostjgr> We have a history ofc, but also no cost to make it consistent now 20:46:21 <joostjgr> (speaking for lnd) 20:47:25 <BlueMatt> so regarding the (afair) unresolved issue around changing the htlc tx format: There are essentially two incompatible goals here: 20:47:27 <BlueMatt> 1) we can have a goal of "the broadcaster can get the tx into the mempool/confirmed, but we dont care about allowing the non-broadcasting side any access to the tx, including seeing it, without a lot of work", then the sighash_single approach is cheaper and simpler to handle, 20:47:28 <BlueMatt> note that this is essentially the best we can do for *commitment* txn, so maybe we just rely on that for now, but 20:47:30 <BlueMatt> 2) if we want to have a more robust security model for htlc transactions today, then we can have that, but we need to ditch the sighash_single approach as previously discussed and (probably in a separate change) move towards all htlc txn being pre-signed and CSV 1, with associated state machine changes. 20:47:31 <BlueMatt> ariard indicated he thought those state machine changes may be required for ptlcs or schnorr or something, so maybe it makes sense anyway, but I dont know if its worth the effort given we cant really possibly have a decent security model today either way. 20:48:13 <rusty> Yes, but because our minimum fee is not 250 but 253, I think we don't need to take into account the extra 2 bytes for giant txs. 20:48:26 <roasbeef> sighash single ftw, it actually lets you bump the fee of the HTLC transaction, which is important since that's what you want to get in 20:48:30 <BlueMatt> I *do* think we need to make a conscious decision regarding what security model makes sense to have in mind for anchor before we charge ahead implementing here, it feels super premature. 20:49:04 <roasbeef> idk if it's "charging ahead", given it's an issue today, and there're implementations that're deployed that want to help mnitigate things for their users 20:49:04 <BlueMatt> roasbeef: that doesnt add anything given the commitment transaction got in. 20:49:22 <roasbeef> BlueMatt: ofc it does, for second level transactions, only once that's in can you consider the HTLC "rsolved" 20:49:48 <BlueMatt> roasbeef: the current anchor outputs design was written up months before we found a whole series of critical issues in lightning that are highly related. it seems worth discussing those issues before committing to a path forward... 20:49:50 <t-bast> BlueMatt: I don't see how the suggestion of pre-signed changes anything, you can still pin in miners mempool one tx and have a different one for the rest of the network, so the honest participant won't be able to learn about it either 20:50:40 <ariard> Yeah I think that was making sense to pre-signed second stage before we realize pinning on the commitment_tx-level 20:51:01 <t-bast> BlueMatt: you simply have to wait for the timeout block: the attack broadcasts his (pre-signed) ClaimHtlc tx to miners mempool and the HTLC-timeout to the rest of the network 20:51:08 <ariard> since then we'll need package relay anyway to be secure, so at least let's make user safe against mempool congestion stucking their 2nd-stage 20:51:14 <BlueMatt> t-bast: it only helps for the htlc txn :/. essentially, if the htlc can only be resolved in one of 4 different txids, then its less of an issue and you can maybe do the blind-bumping approach, or, at least, you probably can presuming an ability to send transactions to a whole mess of nodes 20:51:33 <BlueMatt> but, indeed, for commitent txn, we're pretty much totally hosed without changes to various other things 20:51:42 <t-bast> BlueMatt: ok, so you still need to rely on a blind-bumping mechanism, in that case it's slightly better indeed 20:52:07 <ariard> blind-bumpinh wouldn't work with _current_ propagation, orphan rules 20:52:18 <t-bast> BlueMatt: but this blind-bumping is still something we don't know how to do properly, right? 20:52:23 <BlueMatt> *but* it would mean that we dont need the mess of monitoring global mempools for htlc preimages (again, however, if the attacker uses commitment txn to do an attack, you're pretty much screwed) 20:52:54 <BlueMatt> ariard: remind me why we decided that? I dont recall and I'm now thinking we were wrong, at least assuming there's only 4 valid txids that can be in the mempool and they're all csv 1 20:53:47 <ariard> BlueMatt: assuming the attacker know tx-relay topology, I can conflict-partition you and your neighboors with txid_1 and throw txid_2 in miner mempools 20:54:03 <ariard> and your blind-bump won't propagate at the boundary between subsets? 20:54:09 <BlueMatt> ariard: I dont think so? the htlc-timeouts are all cltv'd 20:55:16 <roasbeef> re blind bumping, we just anchor down all versions 20:55:17 <ariard> BlueMatt: hmmmm, but your bump is going to be an orphan at some point even if you know txid of all combinaisons 20:55:27 <roasbeef> we don't watch the mempoo 20:55:33 <BlueMatt> t-bast: you missed these lines: 20:55:37 <BlueMatt> <roasbeef> re blind bumping, we just anchor down all versions 20:55:38 <BlueMatt> <ariard> BlueMatt: hmmmm, but your bump is going to be an orphan at some point even if you know txid of all combinaisons 20:56:01 <BlueMatt> ariard: i mean if it is that means the htlc-success isnt in that nodes' mempool which is ok? 20:56:06 <ariard> roasbeef: you don't watch the mempool ? How do you decide to broadcast a cpfp on to_remote of remote commitment? 20:56:09 <BlueMatt> ariard: its more complicated post-timeout, I thinkk, though? 20:56:13 <roasbeef> in practice, we haven't run into any issues with that 20:56:51 <roasbeef> ariard: if we force close, we anchor them all down 20:56:56 <t-bast> Thanks 20:57:09 <BlueMatt> roasbeef: I'm confused what you're referring to, here? 20:57:25 <ariard> roasbeef: right, but you anchor local and remote commitment but only one of them will propagate 20:57:48 <joostjgr> local, remote commitment and the remote pending one if it exists. three max 20:58:31 <roasbeef> ariard: yeah, so which ever one confirms is fine 20:58:45 <BlueMatt> roasbeef: you're saying that when you receive an error message you just broadcast all possible anchors on the latest commitment tx? 20:59:01 <BlueMatt> roasbeef: have you read ariard's list of attacks in the email thread? 20:59:04 <ariard> BlueMatt: with your blind-bumping how do you jump across a conflict-partition between previous_commitment_tx+HTLC-Success/commitment_tx+HTLC-Success 20:59:04 <roasbeef> if we then decide there's a new for us to bump, we can do that 20:59:08 <roasbeef> yeh 20:59:34 <BlueMatt> ariard: I'm presuming csv-1, so the commitment tx must be on-chain before anything relays 20:59:37 <t-bast> ariard: I think that's still unknown, and probably out of the normal bitcoin p2p relay :/ 21:00:09 <ariard> BlueMatt: ah yes miss this point so yes you can know which version you have to bump, but that's not a blind one anymore :p 21:00:10 <t-bast> BlueMatt: but even with that, the attacker can still sneak in right after the block confirmation, right? 21:00:18 <BlueMatt> roasbeef: sooo, this conversation isnt about commitment txn, I'm not really sure what you're referring to here? or are you suggesting something about commitment txn applies to htlc txn? 21:00:18 <ariard> assuming it's pre-signed 21:00:39 <BlueMatt> ariard: well, its not *really* blind, its only blind in that you dont really have to look at the mempool to know whats there 21:00:56 <BlueMatt> t-bast: it relies pretty heavily on rebroadcasting, I think 21:01:02 <BlueMatt> but, I think thats maybe ok? 21:01:04 <roasbeef> was talking about the way you anchor down w/e may get in 21:01:10 <ariard> BlueMatt: gotcha, was confused with your other ideas of noinput+cpfp, also called blind-bumping at some point 21:01:34 <t-bast> BlueMatt: but that's where the attacker can fill the network's mempool to create the partition and prevent p2p relay...unless I'm still missing something 21:01:34 <BlueMatt> ariard: ah, right, I think I was maybe trying to get the same mental model to apply there, but I'm not convinced it makes sense in that context. 21:01:51 <roasbeef> the #2 above there, also means state machine changes as I've mentioned before 21:01:52 <ariard> roasbeef: yes it works if you rebroadcast every X blocks in case the remote commitment win the propagation race but the anchor on remote has always been evicted 21:01:53 <BlueMatt> roasbeef: right, ok, so you're just saying that you think blind bumping makes sense in general? 21:02:12 <roasbeef> ptlc or scnhorr also doesn't really have any time frame rn, and this is a big issue today w/ more an dmore papers bringing attention to it 21:02:32 <BlueMatt> t-bast: right, I dont think there's any (current) way of addressing that except package relay, essentially 21:02:34 <roasbeef> how do we define blind bump, like bump-em-all? 21:02:47 <t-bast> BlueMatt: ok thanks, that's clear, we agree on that 21:02:55 <BlueMatt> roasbeef: essentially. yes. the idea being bump what you know could be in the mempool, but arent sure if its there 21:03:06 <roasbeef> mhmm, that's what we do rn 21:03:22 <BlueMatt> (of course that doesnt work/make sense for commitment txn cause there's millions of those, but for htlc txn we can make it work) 21:03:25 <roasbeef> our next release is going to have dynamic bumping based on cltv delay too 21:03:38 <roasbeef> and the looming deadline 21:03:41 <t-bast> roasbeef: but you can't do it anymore with the sighash_single change, you don't know the final txid of the HTLC-success / HTLC-timeout? 21:03:46 <ariard> changing state machine may take us as long as getting package relay on the base layr 21:04:01 <roasbeef> t-bast: thought we're talking about the anchor on the commitment? 21:04:12 <roasbeef> as in bump that 21:04:14 <BlueMatt> roasbeef: no, we've been talking about anchors on htlcs this entire time :) 21:04:29 <ariard> yes we already do bumping based on cltv_delay limit approaching 21:04:36 <roasbeef> i don't think that revocation thing is an issue, only what matters is what gets in the chain 21:04:43 <ariard> actually we do this for any kind of transaction, not only HTLC claiming 21:04:47 <BlueMatt> ariard: I dont see why adding one more message to the state machine should take years? 21:05:02 <roasbeef> t-bast: the single change means you can aggregate htlcs, and also include the second level htlc transaction bunlded w/ _other_ transactions that you might've already been doing as well 21:05:08 <t-bast> roasbeef: even for commitment tx, the attack ariard described ensures your bumps will never propagate... 21:05:09 <BlueMatt> roasbeef: you should go read ariard's email! I promise its quite excellent 21:05:14 <roasbeef> the devil is always in the details 21:05:19 <roasbeef> re state machine changes 21:05:23 <t-bast> I mean ariard's attack on the ML 21:05:25 <roasbeef> which already is rather underdefined int eh spec 21:05:54 <ariard> roasbeef: timelocks being committed by sighash in pratice that's pretty limited for HTLC-timeout, but still a gain for preimage ones 21:06:14 <roasbeef> ariard: nah, we already time lock transactions we do from the normal wallet 21:06:20 <roasbeef> the timelock value 21:06:25 <t-bast> roasbeef: yeah I agree that the sighash change does have a lot of good things for the honest participant, it's just sad that it also has a few drawbacks that help attackers...trade-offs, trade-offs everywhere 21:06:25 <roasbeef> but yeh nice for sweeps too 21:06:50 <roasbeef> t-bast: yeh tradeoffs, so lets satisfice and get something out to protect our users from even the non-adversarial cases where they could lose out 21:07:10 <BlueMatt> t-bast: so, I think re: flooding the mempool I'm maybe a tiny bit less worried about that attack, especially for attacking htlc txn. 21:07:16 <roasbeef> as this threat model has just been continually expanding 21:07:19 <BlueMatt> roasbeef: we've got two options here, both accomplish that. 21:07:24 <roasbeef> it's a mistake to try to solve everything in one swoop 21:07:31 <BlueMatt> no one is suggesting we do that 21:07:41 <roasbeef> when even w/o 3rd parties interacting, bad things can happen rn 21:07:44 <t-bast> but overall I think we should still move forward with anchor outputs and the sighash changes, it allows us to implement a lot of things that will be useful later when we have package relay to tackle the latest threat model updates 21:07:49 <BlueMatt> but lets also please *not* charge forward with something that we'll have to undo six months later 21:08:01 <ariard> I think we want more to agree on how we are going to solve every attach and be sure we dom't do 2 steps forward 1 backward 21:08:07 <ariard> *attack 21:08:09 <roasbeef> charge forward is relative here, given that this is also a link level change, this isn't bitcoin script 21:08:10 <BlueMatt> t-bast: well, i mean, no, once we get package relay I think we'll move towards anchor on the htlc txn 21:08:14 <BlueMatt> not sure, but I think. 21:08:20 <roasbeef> what we deployed has been ready for 6+ months already 21:08:37 <ariard> yes anchor-ouput current version is goodd against mempool-congestion unsafeties 21:08:39 <roasbeef> none of the package relay or ptlc or scnhorr stuff even has a realistic time frame 21:08:40 <joostjgr> ariard: what is the heuristic that you use for bumping when the cltv limit approaches? 21:09:11 <ariard> joostjgr: you mean to increase feerate or decide when the next bumping happens? 21:09:30 <joostjgr> the 'curve' that you walk along towards expiration 21:09:35 <t-bast> BlueMatt: maybe, but I think we can phase things to update from anchor outputs (the current one), can't we? 21:09:55 <BlueMatt> roasbeef: we've been talking about it for ~3 years, so, yea, I think the rush given we've learned more in the past month than in three years is somewhat strange. anyway, it seems worth having the conversion. given we maybe are getting some clarity on what things will look like when we get to an actually-secure lightning mempool model. 21:10:13 <t-bast> Because I think we can realistically have the current anchor outputs proposal shipped in less than 3 months, which solves many issues we have today (and simpler attacks than the pinning ones) 21:10:14 <roasbeef> BlueMatt: yeah i know, i was part of the original convos, i'm talking baout this conrete version 21:10:43 <BlueMatt> t-bast: sure, I mean we can also have current anchors-but-only-on-the-commitment-txn shipped even quicker, though :) 21:10:55 <roasbeef> also we're already deployed and have active users, I can understand if RL wants to wait longer since they haven't fully "deployed yet", but the rest of us don't need to adopt that framing 21:11:03 <ariard> joostjgr: rn it's 3 modes, if less than 3 blocks, re-schedule next block, if less than 15 blocks, re-schedule in 3 blocks, if more re-schedule in 15 21:11:03 <roasbeef> we have skin in the game as is 21:11:10 <BlueMatt> roasbeef: I dont really care about RL for this stuff, tbh. 21:11:16 <roasbeef> lol wat? 21:11:21 <t-bast> BlueMatt: true, but the simple attacks that exist today on HTLCs can't be mitigated with only the commit tx changes (AFAIK) 21:11:30 <roasbeef> but y'all are implementing it..right? 21:11:53 <BlueMatt> roasbeef: as-is, I dont think anyone should be using lightning peered with anyone who isnt fully-trusted. period. and they shouldnt until we've figured this stuff out. hence why I'm trying to figure this stuff out :) 21:12:28 <ariard> roasbeef: yeah it's more important to get Lightnign right overall than just RL not being exposed there 21:12:28 <BlueMatt> t-bast: sure, but thats what the in-flight limit is for :) 21:12:30 <roasbeef> ok you're free to share that world model lol 21:12:40 <joostjgr> ariard: and which fee rates do you use then? if you get close to expiry, potentially the full value of the htlc is at stake. 21:12:53 <roasbeef> also as usual, security isn't binary 21:13:04 <t-bast> BlueMatt: yeah you can limit how much you lose, and probabilistically protect from the attack with high enough cltv_expiry_delta, but it's not a 100% protection though... 21:13:22 <BlueMatt> t-bast: sure, but none of what we're talking about is "protection" :) 21:13:23 <ariard> joostjgr: if your fee-estimator has changed since last time use it, hence a dumb 25% 21:13:41 <BlueMatt> its only a "two honest parties who screwed up their feerate selection are cooperating to get the latest state on the chain" fix 21:13:44 <roasbeef> existence of known issues or attacks against a protocol doesn't render it unusable or "broken" 21:13:54 <roasbeef> we all still use tor after all 21:14:39 <BlueMatt> eh, this probably isnt a relevant debate. 21:14:41 <ariard> same with bitcoin base layer saying it's 100% secure wouldn't be accurate 21:14:54 <joostjgr> ariard: ok. we generally republish every block with an updated fee estimate. some of those may violate bip125 rules, but we don't care. only problem is that if the conf target is high, it may still not conf in time. because it is only an estimate. so in some cases we lower the conf target when we get closer 21:15:19 <BlueMatt> I'm curious what rusty's take is 21:15:28 <BlueMatt> given he also worked on implementing this stuff and has put time in 21:16:12 <roasbeef> iirc, he's on board w/ protecting our current users, w/ what we have already, given bad things can happen rn even w/o any malicious actors 21:16:14 <ariard> joostjgr: right because you may not account for bandwidth increase? lowering the conf target is quite equivalent to bump more aggressively as I'm trying to do I think 21:16:29 <rusty> BlueMatt: it's unfixable. Bitcoin core needs to have an emergency RBF rule that says if the previous package was not in the top 4MW and the replacement would be in the top 3.2MW, it accepts it whether the other feebump rules are met or not. 21:16:42 <BlueMatt> to restate the question at hand - do we accept that the best we can do is help two-honest-counterparties get their txn on chain and stick with that model for htlc txn as well, or do we redo the htlc txn format for anchors so that we can get better security for them 21:16:46 <rusty> Then you can just bid it into the next block. 21:16:50 <roasbeef> and there's other pinning issues also outside of all this stuff even 21:16:53 <ariard> BlueMatt: mempool-congestion unsafety, even it's an edge-case (like 0.000001%) is worthy to fix 21:16:58 <BlueMatt> rusty: agreed (plus package relay) essentially. 21:17:02 <joostjgr> ariard: ok, i see. so you follow your fee estimator, but if the needle doesn't move anymore, you override with 25%? 21:17:43 <BlueMatt> rusty: (but thats somewhat a different question - i think it *is* fixable, essentially, today, for htlc txn) 21:18:04 <ariard> rusty: you also need p2p changes to relay as a package, and a way to actually compose them, either by relay or initial-sender 21:18:09 <BlueMatt> rusty: (as an aside, I've had a few productive chats recently about possibly utilizing a rule like that to fix this whole mess, or at least make it more sensible) 21:18:28 <rusty> ariard: why? 21:18:43 <t-bast> BlueMatt & Rusty: if Bitcoin offers that (in the future), we can fix the issue while keeping the sighash changes on htlc txs and not requiring anchors on HTLCs, which would be great because anchors on every HTLC are costly... 21:18:56 <BlueMatt> t-bast: I dont believe so, no. 21:18:57 <ariard> joostjgr: yes a dumb override with 25%, actually I think a more sophisticated version would try to re-bump even between blocks if you observe significant congestion increase 21:19:03 <roasbeef> also the p2p changes need to be super widely propagated to do anything 21:19:12 <BlueMatt> t-bast: I believe the sighash chages are fundamentally incompatible with fixing these issues. 21:19:17 <roasbeef> t-bast: +1 21:19:20 <BlueMatt> t-bast: at least, I dont see how to fix it) 21:19:50 <ariard> t-bast: I think we quite all agree there :) 21:20:21 <BlueMatt> rusty: because if the pre-signed commitment tx has a low fee, you have to be able to relay that commitment tx (with its low fee) and a bump txn based on it to make the whole group have a higher fee :( 21:20:24 <ariard> roabseef: yes you need to have a least a propagation path to miner mempools, so if you assume 8 outbounds peers, you might night 30% of network updages 21:20:30 <ariard> *need 21:20:56 <rusty> ariard: meh, if bitcoind just deferred evaluation of incoming low-fee txs for some (perhaps long) time, that would cover it. Turns out, that would also cover the concerns about flooding the network with cheap RBF replacements. 21:21:06 <t-bast> BlueMatt: but in the case of a confirmed commit tx, the attacker and the honest participant are competing to spend the same confirmed output: so if the honest participant can attach a high fee to his HTLC-timeout to get it to replace a low-fee pinned HTLC-success (that's hidden in far-away mempool) all his good regardless of the sighash of the HTLC-success? 21:21:26 <roasbeef> ariard: mhmm, and uprades take time...unless there's a soft-fork or something in flight 21:21:27 <t-bast> BlueMatt: ok I'm assuming we got the commitment tx confirmed 21:21:28 <ariard> BlueMatt: wait if you have package relay you can bump a pinning on 2nd-stage? 21:21:48 <rusty> Though it would change the current model where the mempool is considered something you can reliably throw lowfee txs into every few days, but that's arguably broken anyway. 21:21:49 <BlueMatt> t-bast: note that you cannot enforce the "top 4MW of the mempool" rule that rusty is just talking about here in a sighash_single tx 21:22:29 <t-bast> BlueMatt: can you detail? 21:22:32 <BlueMatt> ariard: I dont think this all works out without the "top 4MW of the mempool" rule, thing 21:22:46 <ariard> roasbeef: sure, but still you can ask LN operators to upgrade nicely their full-node to increase _our_ whole security 21:23:47 <ariard> rusty: perhaps but that sounds like a censorship vector if I can tweak your mempool rules, and still you need to reverse topology-order 21:23:49 <BlueMatt> to avoid the "but you can waste infinity bandwidth" issues, I think the elegant solution, as rusty points out, is to allow txn to carry a flag which says "I only want to get into the mempool if I'm gonna be in the next block or two" - this implies that the proability of the tx getting mined is high enough that free relay for it can be allowed (at least, hopefully, this isn't a well-socialized idea, but its at least possible) 21:23:57 <ariard> announcement to your p2p peers 21:24:11 <BlueMatt> sooo, to have package-relay-rbf you probably need such a flag (and a way of *enforcing* that that flag be set - on commitments and htlc txn) 21:25:08 <BlueMatt> rusty: I believe the larger concern of suhas' is around mempool standardness changes causing honest nodes to DoS each other by downloading the same package over and over again. 21:25:09 <ariard> BlueMatt: yes the tagging we talked offline is needed, you need a way to signal "this transaction might be part of a higher-feerate package and we need to do discovery" 21:25:34 <t-bast> can't we get clever and use specific nSequence or nLockTime values as a flag to ensure it's covered by the sighash_single sig (maybe a dumb proposal)? 21:25:42 <roasbeef> ariard: we don't really know what the propagation graph looks like, but yeh we have this new class of nodes that may be more willing to upgrade sooner 21:25:46 <t-bast> actually not nSequence then 21:25:46 <BlueMatt> rusty: also, note that the actual effort of calculating a tx's fee can for some nodes be most of the DoS potential :( 21:26:00 <BlueMatt> t-bast: yes, I presume thats how we'd do it. 21:26:01 <ariard> rusty: if you tag them, you can have different tx-relay policies per class of transacion 21:26:14 <ariard> at least with RBF you already have 2 classes 21:26:16 <roasbeef> let's remember to keep ourselves grounded, we can't count on pkg relay stuff or other mempool policy changes 21:26:27 <BlueMatt> t-bast: but, note, you cannot sighash_single|sighash_anyonecanpay such txn. 21:26:32 <roasbeef> this is a real issue today that affects all LN users, where bad stuff can happen even w/o outside interference 21:26:57 <roasbeef> input level lock-time would be amazing 21:27:00 <BlueMatt> roasbeef: yes, agreed. we should be building something to deploy today keeping in mind the end-state that we want to get to to be comfortable with the whole picture 21:27:02 <roasbeef> for stuff outside of this too 21:27:20 <roasbeef> mhmmm, and some of us havve more skin in the game than others, given they're widely deployed already 21:27:44 <roasbeef> also this is a link level upgrade, not a bitocin script upgrade, just you and your peer need to agree 21:27:45 <t-bast> BlueMatt: even if it's an `nLockTime` flag? This should be covered by the sig, isn't it? 21:27:46 <BlueMatt> ie the above is describing a potential end-state...so as to inform what we may want to do today 21:28:07 <rusty> BlueMatt: yes, failing to have a simple way of representing the fee in bitcoin txs sucks hard. 21:28:19 <ariard> BlueMatt: on this package-relay-rbf you still have to manage conflit at the relay-side between the delay time 21:28:43 <ariard> BlueMatt: and wrt to mempool Dos actually you can introduce package_id 21:28:47 <BlueMatt> rusty: anyway, you should chat with suhas! I think he's interested in maybe workng on this stuff again post-wtxid-based-relay, I'm sure you'd be super useful in helping him think through ideas :) 21:29:08 <rusty> BlueMatt: ack. 21:29:09 <BlueMatt> t-bast: I think my concern is more about having a tree of unconfirmed parents, which I thinkw ould break this 21:29:15 <ariard> to avoid a parent A being ban first for being attached with a low-feerate child 21:29:22 <ariard> and then reevaluated with a higher-feerate child 21:29:59 <t-bast> BlueMatt: ok, but we could restrict this rule/flag to only be accepted in mempools if all parents are confirmed or something like that? 21:29:59 <BlueMatt> ariard: I *think* this stuff only makes sense if the flag is set on a tx with no in-mempool parents 21:30:08 <BlueMatt> (ie commitment txn, htlc txn spending a csv-1 value) 21:30:25 <ariard> BlueMatt: yes that I meaned offline by utxo-spender opt-in! 21:31:09 <rusty> ariard: good point. You can't blacklist a tx for being too low fee, if you want it to be bumpable. 21:31:27 <BlueMatt> ariard: Hmmmm E_NO_PARSE :( 21:31:30 <rusty> OK, hard timeout for me, sorry! gtg 21:31:44 <BlueMatt> see ya rusty! can we do an audio/video call about this this/next week? 21:31:52 <roasbeef> we've spun our wheels so much on this, it's really dissapointing 21:31:57 <BlueMatt> I'm sure roasbeef will be happy if we stop chasing our tails :) 21:32:02 <ariard> BlueMatt: cf the signal conv I've answered yet! 21:32:10 <roasbeef> which is why we just deployed, as no one else had an actual urgency to deploy a solution to protect our users 21:32:20 <ariard> not answered 21:32:22 <t-bast> I'll have to drop off soon, I'd like to thank everyone for the discussion; I think it's important to acknowledge that there are issues to solve (thanks BlueMatt/ariard for pressing on those) and keep the long-term discussions going, while still making short-term progress to fix shorter term issues (thanks roasbeef/joost for the current anchor proposal) 21:32:50 <BlueMatt> roasbeef: last I heard others were way ahead of y'all on this - and actively scanning the mempools of many nodes on the network to address attacks :) 21:33:07 <roasbeef> other ppl have deployed anchors? 21:33:22 <t-bast> Trade-offs are hard, but I'm sure we'll be getting there in the long run ;) 21:33:32 <BlueMatt> t-bast: totally aggreed! tbh I mostly just want to see a conclsion on what security model we want for these things and then we should move forward as fast as possible :) 21:34:21 <t-bast> roasbeef: on it, can you lend me johan and joost for a couple of months? :D 21:34:38 <roasbeef> that's the other thing, the security model is just every growing now, it's leaked into network level node linking 21:34:42 <ariard> roasbeef: I think we agree on anchors, discussion was more on global-mempool-watching vs package-relay as security models 21:34:43 <t-bast> BlueMatt: great, I think we are making some slow progress on that, week by week ;) 21:34:53 <ariard> to fix advanced pinning 21:35:14 <BlueMatt> t-bast: yea. would be nice to schedule a more high-bandwidth chat so we can conclude this 21:35:35 <BlueMatt> I *think* we've played about enough with the issues here that we have some kind of idea whats at play and at least one or two ideas for where to go in the long-term 21:35:44 <ariard> roasbeef: yes but you can't evict the base layer model from the lightning one, and AFAIK pinning wasn't scoped in original LN paper 21:36:02 <t-bast> #action t-bast to start mail thread for video/call meeting 21:36:41 <t-bast> Allright dropping off, thanks everyone! 21:36:43 <t-bast> #endmeeting